diff --git a/hosts/rico2/wireguard.nix b/hosts/rico2/wireguard.nix
index 956660a..2ed8f9c 100644
--- a/hosts/rico2/wireguard.nix
+++ b/hosts/rico2/wireguard.nix
@@ -5,6 +5,7 @@
 }: let
   inherit (secrets.wireguard_config) peers;
 in {
+  networking.firewall.trustedInterfaces = ["wg0"];
   networking.wireguard = {
     enable = true;
     interfaces = {
diff --git a/hosts/skipper/wireguard.nix b/hosts/skipper/wireguard.nix
index 956660a..2ed8f9c 100644
--- a/hosts/skipper/wireguard.nix
+++ b/hosts/skipper/wireguard.nix
@@ -5,6 +5,7 @@
 }: let
   inherit (secrets.wireguard_config) peers;
 in {
+  networking.firewall.trustedInterfaces = ["wg0"];
   networking.wireguard = {
     enable = true;
     interfaces = {